Why did these sticks fail?

Why did these sticks fail? For the silver stick, it's a question that's quite
easy to answer: it uses security by obscurity. The data is just 'hidden' by a
flash-controller that doesn't allow access unless it's sent a certain
USB-packet. Apart from software hacks: fake the packet or change the
controller and you're in. For the white stick, things are a bit different:
this stick uses a sturdy encryption scheme. Ignoring the obfuscation
problem of the silver stick, both sticks use something that's
said to be very secure: fingerprint scanning. Then, why did they fail?

The answer is simple: the key to the encryption has to be stored on the stick
in some way.

This is how it works: If you have a program doing encryption with a password
as a key, the program doesn't have to know the password itself when not used.
You run the program, enter the password, and the password is used to decrypt
the info. Close the program and it will forget the password: it's
stored nowhere on your computer. It's not needed: you yourself can
enter the exact password when you want to have access to your data anymore. But
you must enter exactly the password you've chosen: you can't make any mistake
like using a capital-A instead of a lowercase one.

Fingerprints aren't that precise. If you scan your fingerprint two times,
the scans will always be subtly different. Pressure differences, the way you
slide your finger over the sensor, interference, loss of skin cells... they all
contribute to a certain amount of noise to the picture. You can't encrypt
something with that: you need something that never changes. As far as I know,
it's not possible to distill from a fingerprint a certain piece of data that
never changes, but still has variation enough to make it impervious to
brute-force-attacks.

So, all systems have to take another route: encrypt the disk with a certain
random key and hide that key somewhere together with the fingerprint of the user
of the stick. As soon as the stick is inserted, the user is asked for his
fingerprint and it is then compared to the stored copy. If they match,
the disk is decrypted using the stored key.

The problem with that is simple: if the program handing out the key to the
decryption routine can be hacked, the hacker can, one way or another, get the
key. There's no way around that: the program can access the key and the hacker
can access the program: that means the hacker can access the key.

There are two ways around this: The first one is not to allow the program
access to the key. Truecrypt and other password-based programs do this, but
as I explained, it's difficult for a fingerprint-based solution to do this.
The other way is: don't allow the hacker access to the program. This would
mean embedding a controller in the stick which should do all the
fingerprint-comparing itself. While a really skilled hacker could still
try and get into the microcontroller, it would be much, much more difficult
to get to the data than with a software-based solution. Unfortunately, this
solution is way more expensive than a PC-software-based solution.